How safe is your password?

Of all the things that make me jump up on my security soapbox, having my parents tell me their Wi-Fi password is 123456 is right up there.

While this lack of devotion to digital security is a concern to me, it appears that they’re not alone – last year’s top four passwords: “123456”, “password”, “12345678”, and “qwerty” are the equivalent of locking your front door, but blue-tacking the key to the lock.

This month is iiNet Security Month and, to kick things off, we’re taking a look at passwords – the good, the bad and the very ugly, and what you can do to keep yourself secure when online.

What can you do?

The best way to keep your account secure is to constantly update your password. We’re not talking once a year or every two years; if you want to make sure your account is secure then changing your password monthly is the way to go.

Simply changing your password isn’t the silver bullet for your privacy worries though. You also have to choose a password that’s safe and extremely difficult to crack. While you may think that ‘qwerty’ is a cool password, or ‘Qwerty1234’ is a safe version of a cool password, in reality they’re neither cool nor safe.

Now, thinking up a new password takes a fair bit of effort sometimes, and simply adding a number to your previous password doesn’t count (yes, that means you shouldn’t go from ‘FreshPrince1990’ to ‘FreshPrince1991’). Thankfully, it’s iiNet to the rescue with a handy password generator that gives you a secure password with just the click of a mouse.

For iiNet customers, this handy tool is located in the ‘Change Your Password’ section of Toolbox, while for Westnet customers it resides in the same portion of MyAccount.

Simply click the ‘Generate Password’ button at the bottom of the page and we’ll generate a password which follows our five guidelines:

Mix your cases – Our passwords are case sensitive, so mixing between upper and lower case is a must.
Numbers – Like all good geeks, we love numbers – be sure to include them in your password.
Avoid the obvious – Simple passwords might be easy to remember, but the easier they are to remember the easier they are for someone else to guess. One big no-no is including your username in your password, alongside dictionary words, and the names of your family and friends.
Length wins – Short passwords are much easier to guess; your password should be a minimum of nine characters long.
No white space – Keep the white space out of your password and you make your password harder to pick.
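
The five guidelines above, written as a checker plus a generator that only returns passwords which pass them. This is an added example, not iiNet's Toolbox code: the function names, the small `OBVIOUS` list and the trailing-digit comparison (which catches the ‘FreshPrince1990’ to ‘FreshPrince1991’ case) are assumptions made for illustration.

```python
import re
import secrets
import string
from typing import List, Optional

MIN_LENGTH = 9  # "a minimum of nine characters long"

# Constructed sample of obvious choices (the four quoted in the article).
# A real check would load a much larger dictionary / breached-password list.
OBVIOUS = {"123456", "password", "12345678", "qwerty"}

ALPHABET = string.ascii_letters + string.digits  # no white space by construction


def _stem(password: str) -> str:
    """Lower-case and drop trailing digits: 'FreshPrince1991' -> 'freshprince'."""
    return re.sub(r"\d+$", "", password.lower())


def check_password(password: str, username: str,
                   previous: Optional[str] = None) -> List[str]:
    """Return the guideline violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 9 characters")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("needs both upper and lower case")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one number")
    if any(c.isspace() for c in password):
        problems.append("contains white space")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("based on username")
    # 'Qwerty1234' is still 'qwerty' once case and the number suffix are ignored.
    if lowered in OBVIOUS or _stem(password) in OBVIOUS:
        problems.append("obvious password")
    # Bumping the number on the old password is not a new password.
    if previous is not None and _stem(password) == _stem(previous):
        problems.append("only the number changed from the previous password")
    return problems


def generate_password(username: str, length: int = 12) -> str:
    """Draw candidates from the OS CSPRNG until one passes every guideline."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least 9")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, username):
            return candidate


if __name__ == "__main__":
    for pw in ("123456", "Qwerty1234", "FreshPrince1991"):
        print(pw, "->", check_password(pw, "jsmith", previous="FreshPrince1990"))
    print("generated:", generate_password("jsmith"))
```
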

What can we do?

Getting our customers to update their passwords regularly is one massive step to staying secure online, however we understand it’s a two-way street.

So, in the spirit of safe passwords, we’ve decided to run an awesome competition.
We’ve got two Samsung Galaxy Note 3s and three Samsung Galaxy S4s up for grabs for anyone who changes their password between now and 30 April 2014.

To be in the running, all you need to do is update your password and ensure it meets the guidelines above. It’s that simple!

So what are you waiting for? Make the switch to your password today and not only will you make your account safer, you’ll also be in the running for some awesome prizes!

Rebecca is iiNet's Compliance Manager. In between keeping our customers safe online and explaining to coworkers how she would've written the ending to Lost, she likes gesturing wildly with a wine glass to accent her statements and wading through YouTube for the latest "funniest thing ever."

I am sick of companies that think we only have ONE website that requires a password and then they force you to change your password or block your account. I have at least 10 accounts that have passwords. These so called experts say change them once a month; that’s 120 a year you have to create and remember as you should not write them down or store them in your computer. Sorry my brain is getting too old for all that. I have trouble using the PC let alone changing 120 or more passwords a year.
Mine is staying the same until the bullies make me change!!!!

I hate complex passwords, so hard to remember. Passphrases are easier to remember and hard to guess, something like yourmotherwearsarmyboots but most “secure” sites limit the number of characters to about 14, some even less.

On another note, of changing your password monthly, considering that the change also affects “email client, modem or router password settings” it actually becomes slightly impractical and in most cases leads to more support calls as people forget which password they are using if it changes so regularly and forces them to write it down, which beats the purpose of changing it.

I often do not read suppliers newsletters , but yours is easy to read and to the point. It is to inform us – straight out. Thanks – good advice. Passwords of the future article a very relevant consideration.
Sooo many passwords. Need to update. We have been a customer since Noah, and should heed your advice; it is always excellent. Thanks!

I will update my passwords monthly if you can tell me a safe place to store them. With 30 or more different (as advised) passwords, each changing monthly, obviously they need to be stored somewhere that is both safe and easily accessible. On paper? Insecure. In a file on my computer? Insecure. In Cloud storage? Insecure. And so on. Nobody addresses this problem.
JBR

@Joan Rosenthal,
Easy – get a password store, Lastpass, Keepass, Password Safe. I use the last – all are good. However I can see no point in changing passwords monthly – the only way the baddies will get my password is if Iinet is hacked, and then hopefully they will tell us.

You people are so illogical you make me angry. Sure you can make a very cryptic password but then you have to write it down!!!! Surely this defeats the purpose. Have it written on a piece of paper in your wallet, lose your wallet…doh! And why is it that every person that expects you to use a password seems to think that it will be the only password you will ever have. You even need a password to buy theatre tickets these days! Why can’t there be a standard format of No. of characters, need for digits &/or capitals etc? Have a logical, practical think about it! Be honest…what do you do in reality.

Why won’t the comments I made a couple of minutes ago be published ?…What a sham…I am even more angry now. You people need to wake up to the real world. I am still absolutely annoyed you changed the Westnet webmail by replacing it with a clapped out system that simply does not work. Hey! Look at that…”Westnet” is not even recognised on the spell checker on your own website! Far too silly.

“changing your password in toolbox will mean a change to your email client, modem or router password settings as well” Sorry, this confuses me. Does this just mean the new password will apply to everything without further action?

Change another of my gazillion passwords and PINS again! What I need is a memory chip in the brain so that when I look at a website or ATM, the correct (current!) password instantly leaps into mind. The rules suggested – mix cases etc. are a recipe for failure to remember (was the first letter upper case or the third?) so we write them down – great security. Time someone invented a new system!

The safest passwords use “extended characters” to make it harder to crack. Some simple ways to incorporate these is to replace “a” with “@” and “l” or “I” with the “pipe” character “|”. You can make up your own with whatever works for you – e.g. replace E with & and so on.

Banks (among others) block any access at all after a small number of erroneous password “tries”. Cannot iinet do the same? It is a technique which stops most automatic password cracking activities, and would more-or-less take the onus off the individual to remember his or her continually changed password.
(I presume that blocking access for only 24 hours would work nearly as well).

Hi, If I change my Westnet account password, then I’m afraid my modem won’t recognise it and won’t work again unless I update the password in the modem settings, this is where I’m getting confused and need help. Thanks

I have so many different passwords for every site I go on what is a successful way to remember them all! I spend a great deal of time resetting forgotten passwords and being shut out of my own accounts, tedious to say the least.

The data cited in the post is referring to information released by SplashData related to other public passwords collected throughout 2013. These do not reflect any information related to the passwords chosen by our own customers for their services.

In addition, the requirements for passwords chosen by our customers would ensure that the quoted items above are not eligible to be used as passwords given how insecure they are.

While every organisation would like it if people change their passwords monthly (if not hourly), the reality is that excessive enforcement of updating passwords leads to LESS security.

For example you state that simply updating the number does not make the password secure, but most of the time that’s what people that are forced to enter a new password do!

If people DO follow the advice of not reusing a password and updating numbers/letters, then they tend to write the passwords down, or even attach them to their computer screen. How secure is that?

IMHO the best compromise is to ensure a secure password is used originally, and then to maintain the spyware, antivirus and other security measures on the computer. Most passwords are not guessed, but taken from unsecured computers.

A new phone would be good as I just might be able to navigate it better than my computer.
My thanks as always to the support team who never seem to get sick of me???? And yes I will change my password as everyone seems to know it!

Which iiNet password am I supposed to be changing? There seems to be two, one to log into iiNet and others for my mail accounts. By the way why am I not credited with the time I spent as an Ozemail subscriber in my personal details?

We recommend changing or updating any passwords that may not meet the current suggestions above or requirements outlined on the password change page in Toolbox. Additionally, if you haven’t changed your password in some time it may be worth updating the password as well.

If there’s any issues in changing passwords or if you’d like us to help look into your recorded tenure it may be best to give our support team a call on 13 22 58.

@Tal Waterhouse,
I really do understand what this is about but I am a simple person with a simple life and have a hard time memorising numbers and because of polio my hand has a shake of its own and for me I don’t care any more what people steal as I’m unable to play their games and karma will get back at them.

I’ll reset my password, though it’s like over 10 mixed characters already 😉
I can’t believe 12345678 and qwerty are being used to secure an account!!!
Thanks for the great service Westnet and we could really use a notebook so thanks for the chance to win one!

Thank you for the valuable advice. It’s a timely reminder as several of my friends have had their computers hacked and therefore my details may have been compromised. Change of password imminent.
As a carer in a remote area of Tasmania, the Samsungs would be great.
K

At 70 plus years I value the few remaining ones: generating new passwords is top of my hate list. (When will new babies be presented to their proud parents, when they, the babies already bear a brand new, unique, uncopyable barcode they will be able to use for the rest of their lives?)
However – bye while I go and update my iinet password.

Giving away Samsung phones gives the message that they don’t sell, and need your help. Or that Samsung are giving you a sling to do it.
I’d be more impressed if you were giving away iPhone 5S as well. That would show you really mean business with these passwords. How about it guys?

Good idea – change your password to a higher security configuration and Bob’s your uncle. It’s a heck of a shame you didn’t then go on to explain the caveats that appear as soon as you do change your password, namely that you then have to change a whole load more settings (without any explanation of how to do that).
In short: good idea but lousy explanation which entirely failed to demonstrate the entirety of the problem.
Recommend: do better next time.

Safe passwords are, of course, vital to on-line security, and there is no reason not to use a good, strong password on your iinet account. However, unless some unusual special circumstance applies to you, there is no good reason to change your password regularly, and several excellent reasons not to.

Most importantly among these, it is impossible to memorise a frequently-changed password, so (of course) you write it down – you have no other choice. And you write it down somewhere where you can find it easily, because you have to refer to your notes every time you want to log in. A frequently-changed password, in short, is LESS secure than a stable one. It also imposes a significantly greater time and trouble burden on the user, and on the administration system.

Yes, by all means have a strong password, particularly so on accounts which matter a lot (your banking, for example). On accounts which are of no real consequence (such as, for most people, their iinet account) it is less important, though still of course a good practice. Most people have to battle with a vast number of different passwords and PINs for the many different things we do – I suppose I have about a hundred, certainly too many to count easily, and I shouldn’t think that is unusual – and most of these passwords are for things which simply don’t matter very much. If you use your iinet account for email, having your password compromised would be a bit awkward and embarrassing; if you email another way, then it’s a bit hard to see how it could do any real or lasting harm at all.

But be that as it may, a stronger password can’t do any harm and could just save a little trouble later on, so you might as well. But as for the damnfoolishness of changing it every month, that’s a hoary old myth and it increases your risk rather than reducing it. The only place in which regular password changes are useful and indeed strongly recommended is a shared environment such as a large office where many people have access to a single store of data, and changing the password regularly defends against things like disgruntled former employees handing the passwords over to unauthorised outsiders. Obviously, that doesn’t apply to individual accounts for individual email and not much else.

Rebecca, I love a woman with a good command of English, someone who can get the point across but make us laugh. I am one of those parents btw. In fact the oldies are on the verge of takin over the hood, ha ha, just joking, rubbish reference wasn’t it! Ok will think about the password, but my real dilemma is, how many passwords will fit on the bottom of the office pot plant???

Your article was persuasive about the need for a secure password that is difficult to crack. But it didn’t actually convince me why I need to change it monthly. I have a safe password that would be very difficult to crack so why exactly should I have to keep changing it?

I have never ever won anything in my life!!!!!!!!!!!! But if I did I would want it to be the new SAMSUNG S4!!!!!!!!!!!!! So just putting it out there to the UNIVERSE that I would love to win a new Samsung S4 mobile!

If security is a goal, hopefully the practice of shipping letters out with account password along with modems to new customers has stopped since I joined.
Also, giving my account password to staff over the phone isn’t great either considering its linked to the email login too…

I just don’t get this paranoia with passwords. There is nothing on my computer that is critically confidential.
I don’t use it for any banking; for most bill paying, it is cheaper to post a cheque than pay credit card processing charges.
I’m just an old Luddite, but what’s the harm?

When I sign on to iinet I was told the given password could not be changed. It is a mix of capitals, lowercase letters and number. Can I really change from this to one i CAN REMEMBER AS THIS ONE IS SO DIFFICULT AND ONE MISTAKE AND I AM OUT

Yes you can change it.
The password needs to contain the following:
it must be at least 9 characters
it must contain a mix of upper and lower case characters.
it must contain at least one number (0-9)
it must not be based on your username
it must not contain spaces or tabs

Thanks for all the advice about mixing the case and use of numbers. BUT your website does not allow you to type in a password. It forces you to generate one then has you type it in as a reconfirm.
– Don’t forget to log into your router and make the change.

Guilty as charged in regard to keeping passwords ‘memory friendly’…however, after my friend’s computer was hacked, now understanding the importance of changing passwords regularly…thanks iinet for reminder (and a great prize)!

Quite a few free programs on the internet are available Norton being one of them will generate any number of passwords to any length just cut and paste into a word doc if the website will allow cut and paste some do not. Keep the doc on a usb stick and removing it when not in use keeps it safe.

I updated my password this month as I had a breach on my credit card and my kids advised me to change my passwords on everything so I changed my iinet password which I hadn’t done for a long time. Makes you think.

I have had the same password given to me since this company was TIG, then ihug and now iinet….kinda think it must be pretty secure and hate to change it after at least 15 years. But maybe my luck is running out so will follow your advice.

But Rebecca you still haven’t clarified which iinet password we need to update. Are all these iinet passwords really needed? As far as I can tell, we have a password for iinet toolbox, one for iinet naked DSL, one for iinet wireless and one for iinet wifi network, and one for iinet VOIP! I forget which password goes with which, and I have no idea which one you want me to change.

Hi Rebecca,
That sounds great except when I went to change my password in toolbox I got this message of warning first:
Changing your password in toolbox will mean a change to your email client, modem or router password settings as well.
Great – the slippery slope to nothing working. When I clicked on the link to what that means there was nothing but a list of other stuff.
All too hard!! Just wanna change my password not reconfigure my whole set-up!

You can log in to Toolbox, with your iiNet username and current password, and click on ‘Account Tools’
From there, you’ll have the option to click on “Change your password” and then either generate one or create your own.
You may need to also update your modem log in details afterwards.

Is this a scam? iiNet is Giving away a nice phone for what., for changing password??? Hmmm…
I don’t get it…!?
Listen up people, If this is true I would receive one, long time ago.
I change my password almost on daily basis, religiously.
My passwords are so good and so secure that even I can’t remember the darn thing.
So how come iiNet hasn’t rewarded me already with nice new phone if they are concerned about security of their valued customers.
I think it is scam

A suggestion for those who have difficulty remembering lots of passwords – get yourself a hardware encrypted USB flash drive like those from IronKey or Kingston DataTraveller 4000, 5000 or 6000. You can store your passwords in an Excel or even text file and they will be impossible to retrieve for anyone without the flash drive’s password (particularly on the DT6000) (so you only need to remember one complex password to keep all your passwords in order).

In response to the article by isn’t, sure this is basic recommended security practice, but it is utterly unrealistic for 99% of users. It is impossible to enforce in corporate enterprise where their jobs are on the line (hence the existence of passcards and RFID chipped dongles), so you can forget about home users doing more than just updating their passwords once or twice before losing interest.

It is also essentially completely unnecessary for an ISP account, and smacks a bit of an attempt to offload (or at least share) responsibility for security. While my iiNet account has a decently complex password, if it is compromised it only affects my home Internet connection – I don’t use it for anything else and it could be reset trivially. I don’t see the point in anyone even attempting to compromise it, and the only way they could would be through some iiNet compromise anyway (brute force dictionary attack, but it would take decades, or access to compromised database, or social engineering). So if my password is compromised I’ll be asking you some awkward questions, iiNet.

For the rest of you, don’t use your ISP password for anything else and you shouldn’t have to worry about it

Have you stopped sending the passwords in clear text in email when someone claims to have forgotten theirs? A few years ago I was having trouble signing in and contacted support. They sent me an email with my password. Not very secure. And when I mentioned this in reply, there was no response back. Not much point in choosing a secure password if a snoop of email will find it.

Just wondering why is it so important to keep the toolbox login details safe ? Can someone for example actually use my internet quota by logging in from somewhere else ? or will they just be able to access my information and hence manipulate/tamper with my service ?

changed my password – and what a pain that was! Had no idea I’d have to reconfigure so much other stuff. It took way too much time even though your staff were really helpful. Hope I win a nice new phone.

I know lots of other people have asked this question but it still doesn’t seem to be answered. I’ve changed my password and tried to work out what it means by “you may need to change the password on your modem/router” but when I clicked the links one is broken and the other takes me to instructions on how to set it all up but nothing on how to change the password. Scared to shut down now in case I can’t get back in. Does it have to be so hard? Couldn’t you just provide instructions for the whole process?
